HttpParser detects more bad status #11749

Fix #11749 by detecting more bad status codes
jetty · Oct 24, 2024 · f16d5d8 · f16d5d8
1 parent ffdfada
commit f16d5d8
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java b/jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java
@@ -827,8 +827,8 @@ else if (Violation.CASE_INSENSITIVE_METHOD.isAllowedBy(_complianceMode))
                         case COLON:
                             if (!_requestParser)
                             {
-                                if (t.getType() != HttpTokens.Type.DIGIT)
-                                    throw new IllegalCharacterException(_state, t, buffer);
+                                if (t.getType() != HttpTokens.Type.DIGIT || t.getByte() == '0')
+                                    throw new BadMessageException("Bad status");
                                 setState(State.STATUS);
                                 setResponseStatus(t.getByte() - '0');
                             }
@@ -874,6 +874,8 @@ else if (Violation.CASE_INSENSITIVE_METHOD.isAllowedBy(_complianceMode))
                     switch (t.getType())
                     {
                         case SPACE:
+                            if (_responseStatus < 100)
+                                throw new BadMessageException("Bad status");
                             setState(State.SPACE2);
                             break;
 
@@ -890,7 +892,7 @@ else if (Violation.CASE_INSENSITIVE_METHOD.isAllowedBy(_complianceMode))
                             break;
 
                         default:
-                            throw new IllegalCharacterException(_state, t, buffer);
+                            throw new BadMessageException("Bad status");
                     }
                     break;
 

diff --git a/jetty-core/jetty-http/src/test/java/org/eclipse/jetty/http/HttpParserTest.java b/jetty-core/jetty-http/src/test/java/org/eclipse/jetty/http/HttpParserTest.java
@@ -1715,6 +1715,22 @@ public void testResponse101WithTransferEncoding(String eoln)
         assertTrue(_messageCompleted);
     }
 
+    @ParameterizedTest
+    @ValueSource(strings = {"xxx", "0", "00", "50", "050", "0200", "1000", "2xx"})
+    public void testBadResponseStatus(String status)
+    {
+        ByteBuffer buffer = BufferUtil.toBuffer("""
+                HTTP/1.1 %s %s\r
+                Content-Length:0\r
+                \r
+                """.formatted(status, status), StandardCharsets.ISO_8859_1);
+
+        HttpParser.ResponseHandler handler = new Handler();
+        HttpParser parser = new HttpParser(handler);
+        parser.parseNext(buffer);
+        assertThat(_bad, is("Bad status"));
+    }
+
     @ParameterizedTest
     @ValueSource(strings = {"\r\n", "\n"})
     public void testResponseReasonIso88591(String eoln)